Hello Adolf,
did a fast check for you on ‘Fedora release 37 (Thirty Seven)’ with ‘OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)’ on board.
Searching around in /etc/ssl/openssl.cnf for legacy provider entries and have found this section
# Uncomment the sections that start with ## below to enable the legacy provider.
# Loading the legacy provider enables support for the following algorithms:
# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
# Key Derivation Function (KDF): PBKDF1
# In general it is not recommended to use the above mentioned algorithms for
# security critical operations, as they are cryptographically weak or vulnerable
# to side-channel attacks and as such have been deprecated.
[provider_sect]
##default = default_sect
##legacy = legacy_sect
##
##[default_sect]
##activate = 1
##
##[legacy_sect]
##activate = 1
Without changes in OpenSSL config file the following failed connection attempt looks like
2022-12-22 10:37:43 library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
🔐 Enter Private Key Password: *********
2022-12-22 10:37:45 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
2022-12-22 10:37:45 OpenSSL: error:0308010C:digital envelope routines::unsupported
2022-12-22 10:37:45 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2022-12-22 10:37:45 SIGUSR1[soft,private-key-password-failure] received, process restarting
2022-12-22 10:37:45 Restart pause, 5 second(s)
after uncommenting the legacy mode lines with the following changes
--- /tmp/openssl.cnf 2022-12-22 10:33:54.897165088 +0100
+++ /etc/ssl/openssl.cnf 2022-12-22 10:38:40.678341617 +0100
@@ -57,14 +57,14 @@
# to side-channel attacks and as such have been deprecated.
[provider_sect]
-##default = default_sect
-##legacy = legacy_sect
+default = default_sect
+legacy = legacy_sect
##
-##[default_sect]
-##activate = 1
+[default_sect]
+activate = 1
##
-##[legacy_sect]
-##activate = 1
+[legacy_sect]
+activate = 1
[ ssl_module ]
the PKCS#12 package decryption was successful and the connection has been started and is running
$ sudo openvpn --config testlegacy-TO-IPFire.ovpn
2022-12-22 10:38:46 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-12-22 10:38:46 OpenVPN 2.5.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2022
2022-12-22 10:38:46 library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
🔐 Enter Private Key Password: *********
2022-12-22 10:38:49 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-12-22 10:38:49 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
...
Not sure what config files are running on Arch Linux ? Does such entries exist ?
Best,
Erik